A deploy key is an SSH key added to your repo to grant a client read-only access (or read/write, if you want) to that repo.
As the name says, its primary use is in the deploy process, in place of a username/password, where only read access is needed. This keeps the repo safe from attack if the server is compromised.
- Generate an SSH key
  Run
      ssh-keygen -t rsa -b 4096 -C "{email}"
  and leave the passphrase empty, since you want the deploy process to run without keyboard input. After generation, the files id_rsa and id_rsa.pub can be found under the .ssh folder.
- Add the SSH key to the repo's "Deploy keys" setting
  Print the public key so you can copy it:
      cat .ssh/id_rsa.pub
- Set up the git SSH key on the client machine
  Git normally uses the SSH key found in .ssh/id_rsa under the user's home folder, so first you need to find out the home directory of the user (for example, on Ubuntu/Debian, by default, user www-data's home directory is /var/www, so the SSH key file is /var/www/.ssh/id_rsa). Then copy the id_rsa file from Step 1 to the right directory.
  You can test the connection with:
      sudo -u {user} ssh -T git@github.com
  *You might need to add GitHub's host key to known hosts.
  If everything went well, you will see:
      Hi {user}! You've successfully authenticated, but GitHub does not provide shell access.
  Then you are all set!
Attention: make sure your repo URL uses the SSH (git@) form, not HTTPS, which means use
    git@github.com:{user}/{repo}.git
not
    https://github.com/{user}/{repo}.git
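A pre-flight check for the setup above, as an added example that is not part of the original page: it verifies that the copied private key is owned by the deploy user and not accessible to others, and that the remote uses the SSH form. The function names and the /srv/app checkout path are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks for the deploy-key setup described above.
# Function names and sample paths are hypothetical, not from the page.

# stat wrapper: GNU format first, BSD format as fallback.
st() { stat -c "$1" "$3" 2>/dev/null || stat -f "$2" "$3"; }

# True only for SSH-style remotes; https:// remotes never use the deploy key.
is_ssh_remote() {
    case "$1" in
        ssh://*|git@*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_deploy_key HOME_DIR EXPECTED_UID
# Prints one line per problem; returns 0 only when the key is usable.
check_deploy_key() {
    key="$1/.ssh/id_rsa"
    bad=0
    if [ ! -f "$key" ]; then
        echo "missing private key: $key"
        return 1
    fi
    # A key copied as root stays root-owned, so the deploy user cannot read it.
    if [ "$(st %u %u "$key")" != "$2" ]; then
        echo "wrong owner on $key (expected uid $2)"; bad=1
    fi
    # ssh ignores a private key that group or others can access.
    case "$(st %a %Lp "$key")" in
        *00) ;;
        *) echo "$key is accessible by group/others; chmod 600 it"; bad=1 ;;
    esac
    # A group/world-writable .ssh lets another account swap the key or config.
    case "$(st %a %Lp "$1/.ssh")" in
        *[2367]?|*[2367]) echo "$1/.ssh is group/world-writable; chmod 700 it"; bad=1 ;;
    esac
    return "$bad"
}

# Typical calls on the server (user and home as in the page's example;
# /srv/app is an assumed checkout location):
#   check_deploy_key /var/www "$(id -u www-data)"
#   is_ssh_remote "$(git -C /srv/app remote get-url origin)"
```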
You can use the ~/.ssh/config file to configure a different SSH key for each repo. For details, please follow the instructions in Ref.3 below.
You might want to use this for www-data:
    sudo mkdir /var/www
    sudo chown -R www-data:www-data /var/www/
    sudo -u www-data ssh-keygen -t rsa -b 4096 -C "{hostname}"